NetBSD Problem Report #59214
From www@netbsd.org Tue Mar 25 21:05:06 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 26FAC1A9239
for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 Mar 2025 21:05:06 +0000 (UTC)
Message-Id: <20250325210504.75F201A923D@mollari.NetBSD.org>
Date: Tue, 25 Mar 2025 21:05:04 +0000 (UTC)
From: jlduran@gmail.com
Reply-To: jlduran@gmail.com
To: gnats-bugs@NetBSD.org
Subject: blocklist: ssh: Add Failed PAM authentication probe
X-Send-Pr-Version: www-1.0
>Number: 59214
>Category: bin
>Synopsis: blocklist: ssh: Add Failed PAM authentication probe
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 25 21:10:00 +0000 2025
>Closed-Date:
>Last-Modified: Sat Apr 12 23:17:29 +0000 2025
>Originator: Jose Luis Duran
>Release: trunk
>Organization:
>Environment:
>Description:
When a failed PAM authentication attempt is received, blocklistd should count it towards the total allowed number of failures.
Also there is a probe under monitor.c that often gets logged along with other offenses, effectively counting as two (+2) failures towards the maximum allowed.
>How-To-Repeat:
Try to authenticate an SSH session using PAM and check blocklistd logs.
>Fix:
Subject: [PATCH] blocklist: ssh: Add Failed PAM authentication probe
Also remove the probe from monitor.c, as it will count twice towards
nfails.
Obtained from: FreeBSD
---
crypto/external/bsd/openssh/dist/auth-pam.c | 2 ++
crypto/external/bsd/openssh/dist/monitor.c | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/external/bsd/openssh/dist/auth-pam.c b/crypto/external/bsd/openssh/dist/auth-pam.c
index ce60b9898f7f..834298ca08d8 100644
--- a/crypto/external/bsd/openssh/dist/auth-pam.c
+++ b/crypto/external/bsd/openssh/dist/auth-pam.c
@@ -119,6 +119,7 @@ __RCSID("$NetBSD: auth-pam.c,v 1.23 2024/07/11 17:26:53 riastradh Exp $");
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "pfilter.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -958,6 +959,7 @@ sshpam_query(void *ctx, char **name, char **info,
sshbuf_free(buffer);
return (0);
}
+ pfilter_notify(1);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
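Review bot: confirm this cannot bring back the double count the monitor.c hunk removes. The PAM failure reported by error("PAM: %s for %s%.100s from %.100s", ...) is also a failed authentication attempt that sshd records through its regular failed-attempt logging, and the monitor.c hunk relies on that logging path already notifying blocklistd; if the same holds for keyboard-interactive/PAM, a single failed PAM attempt would again count as two. It would also help to say in the commit message which process runs sshpam_query, since pfilter_notify(1) has to reach blocklistd from there, whereas the call being removed from mm_answer_keyallowed ran in the monitor.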
diff --git a/crypto/external/bsd/openssh/dist/monitor.c b/crypto/external/bsd/openssh/dist/monitor.c
index bd9ab72fc72f..ca10b4ab5968 100644
--- a/crypto/external/bsd/openssh/dist/monitor.c
+++ b/crypto/external/bsd/openssh/dist/monitor.c
@@ -1273,7 +1273,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
} else {
/* Log failed attempt */
auth_log(ssh, 0, 0, auth_method, NULL);
- pfilter_notify(1);
free(cuser);
free(chost);
}
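Review bot: removing this pfilter_notify(1) leaves auth_log(ssh, 0, 0, auth_method, NULL) on the line above as the only thing in this branch that can report the rejected key to blocklistd, so the change depends on auth_log() itself notifying on failure. The PR text says the probe "often" counted twice, which implies cases where it did not; spell out in the commit message which call path now covers a failed publickey/hostbased keyallowed request, otherwise a rejected key would no longer advance the counter at all.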
--
Jose Luis Duran
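As an added illustration of the counting problem the report describes (this is not code from NetBSD, OpenSSH or blocklistd), the following Python model tallies pfilter_notify(1) probes per client address the way the report says blocklistd does, before and after the patch. The probe-site names, the nfail value of 3, the assumption that a successful login clears an address's entry, and the sample addresses and event stream are all constructed for this example and are not taken from the PR.

```python
"""Toy model of blocklistd's per-address failure tally for sshd probes.

Added illustration for PR/59214; it is not code from NetBSD, blocklistd or
OpenSSH.  Assumptions (not taken from the PR): blocklistd keeps one counter
per remote address, blocks the address once the counter reaches the
configured nfail, and each pfilter_notify(1) call advances the counter by
one.  Probe sites are modelled as plain strings.
"""
from collections import defaultdict

# Assumed nfail from the ssh line of blocklistd.conf (hypothetical value).
NFAIL = 3


def probes_for_failure(method, patched):
    """Return the pfilter_notify(1) sites that fire for one failed attempt.

    "failed_attempt_probe" stands for the notification the PR says is
    already "logged along with other offenses"; "monitor.keyallowed" is the
    extra probe removed from monitor.c; "auth-pam.sshpam_query" is the probe
    the patch adds.  Which methods reach which site is an assumption made to
    mirror the PR's description, not a statement about sshd internals.
    """
    if method in ("publickey", "hostbased"):
        sites = ["failed_attempt_probe"]
        if not patched:
            sites.append("monitor.keyallowed")
        return sites
    if method == "keyboard-interactive/pam":
        return ["auth-pam.sshpam_query"] if patched else []
    raise ValueError("unknown method: %s" % method)


def attempts_until_block(method, patched, nfail=NFAIL, limit=100):
    """Failed attempts from one address before blocklistd would block it,
    or None when the counter never advances (the pre-patch PAM case)."""
    count = 0
    for attempt in range(1, limit + 1):
        count += len(probes_for_failure(method, patched))
        if count >= nfail:
            return attempt
    return None


def tally(events, patched, nfail=NFAIL):
    """Run a constructed event stream through the model.

    events: (address, method, succeeded) tuples.  A success is assumed to
    clear the address (modelling pfilter_notify(0) resetting the entry).
    Returns (counters, blocked): counters maps address -> failures as
    blocklistd would count them, blocked is the set at or over nfail.
    """
    counters = defaultdict(int)
    for addr, method, succeeded in events:
        if succeeded:
            counters.pop(addr, None)
            continue
        counters[addr] += len(probes_for_failure(method, patched))
    blocked = {a for a, n in counters.items() if n >= nfail}
    return dict(counters), blocked


# Constructed sample: one host guessing PAM passwords, one host presenting
# a rejected key twice, one legitimate user who fails once and then logs in.
SAMPLE_EVENTS = [
    ("192.0.2.10", "keyboard-interactive/pam", False),
    ("192.0.2.10", "keyboard-interactive/pam", False),
    ("192.0.2.10", "keyboard-interactive/pam", False),
    ("198.51.100.7", "publickey", False),
    ("198.51.100.7", "publickey", False),
    ("203.0.113.5", "publickey", False),
    ("203.0.113.5", "publickey", True),
]

if __name__ == "__main__":
    for patched in (False, True):
        counters, blocked = tally(SAMPLE_EVENTS, patched)
        print("patched=%s counters=%s blocked=%s"
              % (patched, counters, sorted(blocked)))
```

Run as-is, the unpatched pass blocks the key-guessing host after two attempts (two probes per attempt against nfail 3) and never blocks the PAM-guessing host, while the patched pass blocks the PAM host on its third failure and lets the key-guessing host accumulate one failure per attempt, which is the behaviour the report asks for.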
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59214 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Tue, 25 Mar 2025 20:08:20 -0400
Module Name: src
Committed By: christos
Date: Wed Mar 26 00:08:20 UTC 2025
Modified Files:
src/crypto/external/bsd/openssh/dist: auth-pam.c monitor.c
Log Message:
PR/59214: jlduran: When a failed PAM authentication attempt is
received, blocklistd should count it towards the total allowed
number of failures. Also there is a probe under monitor.c that
often gets logged along with other offenses, effectively counting
as two (+2) failures towards the maximum allowed.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/external/bsd/openssh/dist/auth-pam.c
cvs rdiff -u -r1.47 -r1.48 src/crypto/external/bsd/openssh/dist/monitor.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 12 Apr 2025 23:17:29 +0000
State-Changed-Why:
Looks like this was fixed in HEAD, needs pullup-10 and maybe pullup-9?
>Unformatted:
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.